Installing Plesk on Ubuntu 14.04 LTS

I often find myself running through the same setup procedure while getting a server ready for clients. Our hosting platform for clients is Plesk, so this is going to be a quick step-by-step cheat sheet. It won’t go into deep explanations of why each of these things is being done, but if you want a simple way to get Plesk installed and secured quickly you can follow these steps.

We’ll assume at this point that you are happy with the basics of using PuTTY and WinSCP or similar.

Fresh Install of Ubuntu 14.04 LTS

As your starting point you should have a shiny new VPS or dedicated server with Ubuntu 14.04 LTS freshly installed by your hosting provider. These steps will likely work with most recent versions of Ubuntu, but at the time of writing we use Ubuntu 14.04 LTS on our production servers.

Start with some basic updates

To ensure we have the latest updates and patches of the basic install we run some updates.

While upgrading you will be given a Yes / No option, type yes and press enter to proceed with the upgrades.

Wait while the system runs through all updates.

Give the server its new name

At this point we want to set our hostname. This should be your server’s intended FQDN (fully qualified domain name). The file to update is located at:

/etc/hostname

This file will likely be empty when you open it. Within this file you should include the FQDN that the server will be known by. It can be any domain or subdomain you own and can manage the DNS of (e.g. server.yourdomain.tld). You will need to create an A record on the DNS server managing this FQDN pointing to your server’s IP address.

This will now be your server’s hostname, and you will be able to navigate to your Plesk control panel using this name when we are done. The line in the file should have the following format:

server.yourdomain.tld

It’s important that you actually configure your DNS for your chosen FQDN to point to your server’s IP address; otherwise your Plesk installation will experience errors and will not complete.

Once done, reboot the server

Begin Installing Plesk and its requirements

Confirm AppArmor isn’t installed, as it has compatibility problems with Plesk; run this command:

sudo apt-get remove apparmor

Now we download and start the Plesk installer script:

wget -O - http://autoinstall.plesk.com/one-click-installer | sh

Plesk should now be installed and running. You can confirm this by typing in:

/etc/init.d/psa status

You can now head on over to https://<your server IP>:8443, or use the hostname you configured a little earlier: https://server.yourdomain.tld:8443

You can then log in with the username root and your root password. On your first login you will need to accept the Plesk terms and conditions, and you should configure an admin user when prompted. You will also need to fill in your details.

At this point you will either need to purchase a license, or you can try Plesk free for 15 days.

Install Some Additional Services & Features

At this point we generally install some extra items that aren’t included in Plesk by default.

apt-get install mcrypt

apt-get install php5-mcrypt

apt-get install php5-ioncube-loader

apt-get install php-apc

apt-get install php5-memcached memcached

apt-get install php5-imap

php5enmod imap

service apache2 restart

Avoiding Slow DNS Response Times with resolv.conf

Occasionally a DNS server will slow down and start responding slowly, with a knock-on effect on your server’s response times. To help avoid this we can add a couple of extra lines to our configuration.

Navigate to: /etc/resolvconf/resolv.conf.d

Within this folder create a file named tail

Within this file include the following:

options timeout:1 attempts:1

#nameserver 8.8.8.8 #Google NS1

#nameserver 8.8.4.4 #Google NS2

#nameserver 208.67.220.220 #OpenDNS2

#nameserver 208.67.222.222 #OpenDNS1

#options timeout:1 rotate attempts:1

You’ll notice most of these lines are commented out, but you can remove the # at the start of each line if you wish to use them.

The only line that we normally include is:

options timeout:1 attempts:1

timeout:1 tells the resolver to give up on a DNS server and try the next one if it takes longer than 1 second to respond. The attempts:1 setting changes the default behaviour so that each DNS server is queried only once before the next one is tried. Before you do this, confirm with a ping test from your server that the default DNS provided by your host responds in under 1 second; if it doesn’t, you can enable the Google or OpenDNS resolvers commented out in the example above. You may wish to do that anyway if they consistently respond faster than your host’s own DNS.

You can additionally include the rotate option (commented out in the bottom line), which cycles through all of the listed DNS servers and spreads the load more evenly. Without it the first DNS server listed is always used, unless it fails to respond within 1 second on its single attempt, in which case the second is tried, and so on.
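To see what these options actually buy you, here is an added example (not part of the original post) that parses a resolv.conf-style file and estimates the worst-case time a lookup can hang when every listed server is unresponsive. The sample file content is constructed, and the glibc limits used (at most 3 nameservers consulted, timeout capped at 30 s, attempts capped at 5) come from resolv.conf(5).

```python
import re

# glibc resolver limits from resolv.conf(5): at most 3 nameservers are consulted,
# timeout is capped at 30 s and attempts at 5; defaults are timeout 5, attempts 2.
MAXNS, MAX_TIMEOUT, MAX_ATTEMPTS = 3, 30, 5
DEFAULTS = {"timeout": 5, "attempts": 2, "rotate": False}

# Constructed sample of the merged /etc/resolv.conf after resolvconf appends the
# tail file: the host's own resolver first, then Google NS1, then the options line.
SAMPLE = """\
nameserver 10.0.0.2          # hosting provider's resolver (constructed address)
nameserver 8.8.8.8           # Google NS1
options timeout:1 attempts:1
"""

def parse_resolv(text):
    """Return (nameservers, options) from resolv.conf text; '#' starts a comment."""
    nameservers, opts = [], dict(DEFAULTS)
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "nameserver" and len(fields) > 1:
            nameservers.append(fields[1])
        elif fields[0] == "options":
            for opt in fields[1:]:
                m = re.fullmatch(r"(timeout|attempts):(\d+)", opt)
                if m:
                    opts[m.group(1)] = int(m.group(2))
                elif opt == "rotate":
                    opts["rotate"] = True
    return nameservers, opts

def worst_case_wait(nameservers, opts):
    """Upper bound, in seconds, on how long one lookup can hang when every
    resolver is unresponsive: each consulted server is tried `attempts` times
    with `timeout` seconds per try (glibc's internal retry scaling is ignored)."""
    used = min(len(nameservers), MAXNS)
    return used * min(opts["timeout"], MAX_TIMEOUT) * min(opts["attempts"], MAX_ATTEMPTS)

def ignored_nameservers(nameservers):
    """Entries past the third are silently ignored by glibc."""
    return nameservers[MAXNS:]

if __name__ == "__main__":
    ns, opts = parse_resolv(SAMPLE)
    print(ns, opts, worst_case_wait(ns, opts), worst_case_wait(ns, DEFAULTS))
```

With the sample above the tuned options bound a dead-resolver stall at 2 seconds, against 20 seconds with the glibc defaults; a fourth nameserver line would never be consulted.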

Open up Passive ports on the ProFTPD server

Edit /etc/proftpd.conf and add the following line to the end of the file:

PassivePorts 20000 20250

In this example we are using ports 20000 to 20250, but you can choose your own port number range so long as it doesn’t overlap any other active port allocations. This can be a bigger or smaller number range (in this example 250) but keep in mind the smaller the number the smaller the hole we’ll have to make through the firewall. Equally you need to ensure you have enough ports for all of your active FTP users. It’s theoretically possible for each active FTP user to use between 10 – 20 ports.

Then restart the FTP service:

/etc/init.d/xinetd restart
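Before committing to a passive port range it is worth checking it against what the server already listens on and against the 10 to 20 ports per active FTP user estimate above. The following is an added example, not part of the original post; the `ss -tln` output it parses is constructed, and the lower bound of 1024 is an assumption made here to keep the range out of the privileged ports.

```python
import re

# Constructed sample of `ss -tln` output from a Plesk host after the SSH port was
# moved to 4444: the panel on 8443, MySQL on 3306, and one service that already
# listens inside the 20000-20250 range the text uses.
SAMPLE_SS = """\
State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN  0      128    0.0.0.0:4444        0.0.0.0:*
LISTEN  0      128    0.0.0.0:8443        0.0.0.0:*
LISTEN  0      80     127.0.0.1:3306      0.0.0.0:*
LISTEN  0      128    0.0.0.0:20010       0.0.0.0:*
"""

def listening_ports(ss_output):
    """Collect the local TCP port of every LISTEN line in `ss -tln` output."""
    ports = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "LISTEN":
            m = re.search(r":(\d+)$", fields[3])
            if m:
                ports.add(int(m.group(1)))
    return ports

def check_passive_range(low, high, in_use, active_users, ports_per_user=20):
    """Return a list of problems with a proposed PassivePorts range: it must be an
    unprivileged range (assumption: 1024-65535), must not overlap ports already in
    use, and must hold enough ports for the expected concurrent FTP users (the text
    estimates 10-20 per user; the worst case of 20 is the default here)."""
    problems = []
    if not (1024 <= low <= high <= 65535):
        problems.append("range must satisfy 1024 <= low <= high <= 65535")
    conflicts = sorted(p for p in in_use if low <= p <= high)
    if conflicts:
        problems.append("overlaps ports already listening: %s" % conflicts)
    size = high - low + 1
    needed = active_users * ports_per_user
    if size < needed:
        problems.append("only %d ports for %d users (need %d)" % (size, active_users, needed))
    return problems

def passive_ports_line(low, high):
    """The proftpd.conf directive for a range that passed the checks."""
    return "PassivePorts %d %d" % (low, high)

if __name__ == "__main__":
    used = listening_ports(SAMPLE_SS)
    print(check_passive_range(20000, 20250, used, 10))  # flags the listener on 20010
    print(check_passive_range(30000, 30250, used, 10))  # [] -> range is usable
    print(passive_ports_line(30000, 30250))
```

Whatever range passes the check is the same one you later open in the CSF configuration, so keep the two in sync.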

Install mod_cloudflare to allow correct IP tracking of visitors

We generally use Cloudflare quite a bit for clients’ sites, and if you want the tracking information to show your site visitors’ IPs and not Cloudflare’s server IPs you’ll need to add a little code:

Auto reboot server when out of memory

As a last resort it can be better to automatically reboot your server when it runs out of memory than to let it hang for a long period of time. This will cause a minute or two of downtime, but it’s better than languishing in the swapping state for potentially hours or never recovering at all.

Create a file called /etc/sysctl.d/oom_reboot.conf and enter the following lines:

# panic kernel on OOM

vm.panic_on_oom=1

# reboot after 10 sec on panic

kernel.panic=10

Then confirm and activate with:

sysctl -p /etc/sysctl.d/oom_reboot.conf

Securing your Server

There are a huge number of things you can do to secure your server, I hope to go into some of these in more detail at a later date, but the following is a pretty good starting point.

Change your default SSH Port

modify /etc/ssh/sshd_config

change from:

Port 22

to any port of your choice. Make sure it’s not a port being used by any other service on your server; in this example I’ve used 4444:

Port 4444

Then restart the SSH service using this line:

service ssh restart

It’s important to remember to connect to SSH through your new port number from now on, so make it something you’ll remember.

Setup SSH Keys and disable password login

Install and configure CSF Firewall

CSF firewall isn’t controllable from within Plesk; however, it’s a great adaptive firewall that can be made to work with Plesk. It simply needs to be managed from the command line, which is easier than it sounds with a little practice.

So let’s install CSF:

rm -fv csf.tgz

wget http://www.configserver.com/free/csf.tgz

tar -xzf csf.tgz

cd csf

sh install.sh

Then run the following line to confirm that CSF should be able to function fully on your system:

perl /etc/csf/csftest.pl

Now open the file /etc/csf/csf.conf with WinSCP or similar

This file is thoroughly commented and is the core configuration of CSF. The great thing about CSF is its documentation, which matters because it’s a really powerful firewall when set up correctly.

The configuration of this file will vary depending on your server’s needs and environment, and I suggest you take your time and read each option before you make a change, but the following are the ports that will always need to be configured to work with Plesk.

Please remember to swap out the 4444 for your own SSH port and the 20000:20250 for your own FTP passive ports. With a little trial and error you can also close some of these ports if you don’t need the service they correspond to, but these should be a good starting point to open all the ports Plesk will require.

Once you’ve configured your csf.conf just the way you want it, you should open the csf.blocklists file located at /etc/csf/csf.blocklists

Again, this is a well-documented file, but essentially it allows you to pick which of the available firewall block lists you would like to import into CSF as its base settings. It’s tempting to enable all of the block lists, but it’s recommended to go with just two or three, as the IP block list can quickly become quite huge and can cause CSF to bog down your system with firewall rules; we’re looking for secure, not slow.

There are a number of other files that can be edited, the primary ones are listed below:

csf.conf – the main configuration file; it has helpful comments explaining what each option does

csf.allow – a list of IPs and CIDR addresses that should always be allowed through the firewall

csf.deny – a list of IPs and CIDR addresses that should never be allowed through the firewall

csf.ignore – a list of IPs and CIDR addresses that lfd should ignore and not block if detected

csf.*ignore – various ignore files that list files, users and IPs that lfd should ignore. See each file for its specific purpose

If you modify any of the files listed above, you will need to restart csf for the changes to take effect.

If you use Cloudflare you may wish to whitelist their IPs: view their current IP list and add the addresses to csf.allow to let them pass through your firewall.

CSF has very good documentation, but if you get stuck finding the csf command you are looking for, just type in:

csf -h

This should display all possible csf command lines.

This isn’t intended as an in depth user guide to CSF, but one final feature you may want to check out is the emailed security report, from command line run the following:

csf -m you@youremailaddress.com

This will email you a report with a score and the areas in which you can enhance your server’s security.

Remove SSL3

Due to vulnerabilities in SSL3 it’s a good idea to remove all possible inclusions in all services. It’s possible to do this one at a time by visiting the configuration file of each service, thankfully however Plesk have made a little script to do all this in one go.
